# help
n
hi @Charith (Cerbos) noticed a difference between "IsAllowed" and "QueryPlan". I have the following 2 policies (base and a scoped):

- All actions blocked in the base
- BUT VIEW action allowed in scoped

Both resource and principal have the correct scope set. When I try to check for VIEW access using "IsAllowed" I get an ALLOWED, but using Plan it says BLOCKED. As the specs say, if the answer can be resolved from the scoped policy, why is the base being queried for plan?

base.yml
```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: interactions
  version: default
  rules:
    - actions:
        - "*"
      roles:
        - poweruser
      effect: EFFECT_DENY
```
scoped.yml
```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: interactions
  version: default
  rules:
    - actions:
        - VIEW
      roles:
        - poweruser
      effect: EFFECT_ALLOW
  scope: T00101581-3dd4-40b8-a2e3-175624586f85
```
```json
{
  "requestId": "123123",
  "principal": {
    "id": "123",
    "roles": [
      "poweruser"
    ],
    "attr": {},
    "scope": "T00101581-3dd4-40b8-a2e3-175624586f85"
  },
  "resources": [
    {
      "resource": {
        "kind": "interactions",
        "id": "123",
        "scope": "T00101581-3dd4-40b8-a2e3-175624586f85",
        "attr": {}
      },
      "actions": [
        "VIEW"
      ]
    }
  ]
}
```
a
Hey the query plan in the playground doesn't support scopes right now. Do you get the same result when you run the PDP locally?
c
Yep, I think it's the Playground. It works locally
```sh
cat <<EOF | curl --silent "http://localhost:3592/api/plan/resources?pretty" -d @-
{
  "requestId": "query-plan",
  "resource": {
    "kind": "interactions",
    "scope": "T00101581-3dd4-40b8-a2e3-175624586f85"
  },
  "principal": {
    "id": "123",
    "roles": [
      "poweruser"
    ]
  },
  "action": "CREATE",
  "includeMeta": true
}
EOF
```
```json
{
  "requestId": "query-plan",
  "action": "CREATE",
  "resourceKind": "interactions",
  "filter": {
    "kind": "KIND_ALWAYS_ALLOWED"
  },
  "meta": {
    "filterDebug": "(true)",
    "matchedScope": "T00101581-3dd4-40b8-a2e3-175624586f85"
  }
}
```
a
There is a pending item to add scope - will bump it up the list
n
hey guys, in that case I am confused 😞 While curl/postman gives ALWAYS_ALLOWED, running the same code in golang and invoking the api "PlanResources" gives a different result, try the following code:

```go
// Connect to the local PDP over plaintext gRPC.
c, err := client.New("localhost:3593", client.WithPlaintext())
if err != nil {
	log.Fatalf("Error creating Cerbos client: %v", err)
}

roles := []string{"poweruser"}
// Both principal and resource carry the same scope as the scoped policy.
resp, err := c.PlanResources(context.Background(),
	client.NewPrincipal("123").WithRoles(roles...).WithScope("T00101581-3dd4-40b8-a2e3-175624586f85"),
	client.NewResource("interactions", "id").WithScope("T00101581-3dd4-40b8-a2e3-175624586f85"),
	"VIEW")
if err != nil {
	log.Fatalf("Error planning resources: %v", err)
}
fmt.Println(resp.Filter.Kind)
```
c
Oh it looks like a bug in the Go client. The scope is not being set on the resource. We'll get it fixed ASAP.
n
Thanks a lot Charith, thought I was losing my mind 😄
c
The fix has landed, thanks to @Dennis (Cerbos). It'll take a few days for us to do a release, but you can use it right away if you don't mind using the `main` branch (`go get github.com/cerbos/cerbos/client@main`)
n
thanks charith/dennis, appreciate the quick turnaround.. will wait for the release :)
hi @Charith (Cerbos) any plans for a release, imminently ? pls keep me in the loop, thanks
c
Hey, we are waiting for another fix that we want to include in the release and it's taking a little longer than expected. Hopefully it will be done this week. If you're in a hurry, it's quite safe to use the SDK from `main` until the next release because we are pretty serious about maintaining backward compatibility.
n
hi @Charith (Cerbos) tried pulling in the latest cerbos (from main) and building.. and see this error:

```
# github.com/cerbos/cerbos/internal/observability/logging
119 Error: ../../../go/pkg/mod/github.com/cerbos/cerbos@v0.22.1-0.20221111075933-f61a749212c4/internal/observability/logging/logging.go101105: undefined: atomic.Bool
120 Error: ../../../go/pkg/mod/github.com/cerbos/cerbos@v0.22.1-0.20221111075933-f61a749212c4/internal/observability/logging/logging.go12024: undefined: atomic.Bool
121 note: module requires Go 1.19
122 Error: Process completed with exit code 2.
```
c
Which version of Go are you on?
n
1.18
c
I see. I am guessing you can't use the `v0.22.0` SDK either then?
n
mm we are on 21 .. and I tried moving to main and had that issue.. haven't tried 22 TBH
c
Yeah, it looks like we accidentally used a Go 1.19 feature in one of the features we introduced in 0.22. I'll see if it can be reverted back.
n
thanks 🙂
c
Hey, if you didn't see the announcement already, we released a new version yesterday that includes the scope fix to the SDK.